Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5CB5AC433F5 for ; Thu, 18 Nov 2021 20:29:29 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 3BD0361288 for ; Thu, 18 Nov 2021 20:29:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234159AbhKRUc1 (ORCPT ); Thu, 18 Nov 2021 15:32:27 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42566 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234077AbhKRUcQ (ORCPT ); Thu, 18 Nov 2021 15:32:16 -0500 Received: from mail-pf1-x432.google.com (mail-pf1-x432.google.com [IPv6:2607:f8b0:4864:20::432]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5A2CCC06174A for ; Thu, 18 Nov 2021 12:29:16 -0800 (PST) Received: by mail-pf1-x432.google.com with SMTP id o4so7168094pfp.13 for ; Thu, 18 Nov 2021 12:29:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=ext/hA9Hqh6Ihnib1lEscDhjZ8UYlTCVA8i531ovqfY=; b=DkxRs4QGBaUfZ5NxWhAUlvfgQ+APMPBEvDxf32GiR+ctjCEwclxDrBmpBI5JKbwmkA cgeVsSzBs3oMnWsbAcEi6WdQ1dxVJsjLPfAZOSuwU+Dl1qCX9ttV+fmrBLBCUbr0JuYq 3HhDrirsunWX4JcVtzu7DG9bT9AHSJBG0fGMk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=ext/hA9Hqh6Ihnib1lEscDhjZ8UYlTCVA8i531ovqfY=; b=7dJJOi2mDkLxHjXh62ka5NjRSTmACGVKR4ztT8zTHzIZa3EdMER4WnifeChOXkEy8r DIoBu3/7byOc2irUCcDY3q3KZWQ57Prd0A3YzovOkThG7ngH3szk8y/t5le60s6Q52/P Nai0rmi+t+LWdGeUCVGriJYgExY/6bNrkqkc5xyD6gXdEf+xjuKJvUxJQargKxlHwrm7 qi1acTpxgdMLB7PWRziZAawDV8OeCx6H17R0fTpRAC8UuUk0CVhtRDncvGNAInaC1ZsF fu5hxjt1RYFQ5CLABbSxiGnO2ESqTjY8Tnn19yXpAAhSem9tyOsGSxs9tnnf6khaw5lp bkcQ== X-Gm-Message-State: AOAM530mOC44gig5aXXcShldExZ/7TrqodiX20NPboQQXxAR1xL1pgxI PM6pEXZeqNDbe65dFO5OFquUCg== X-Google-Smtp-Source: ABdhPJzQ8MzBCn4pE81cMqWmI37cBiPbYo9AexOSLUps3f8fPtCWbmtEvHLk9gDRGThFQpv0lTd+fg== X-Received: by 2002:a63:6747:: with SMTP id b68mr12852566pgc.371.1637267355851; Thu, 18 Nov 2021 12:29:15 -0800 (PST) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id x18sm448700pfh.210.2021.11.18.12.29.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Nov 2021 12:29:15 -0800 (PST) Date: Thu, 18 Nov 2021 12:29:14 -0800 From: Kees Cook To: Casey Schaufler Cc: Alexander Popov , Steven Rostedt , Linus Torvalds , Lukas Bulwahn , Jonathan Corbet , Paul McKenney , Andrew Morton , Thomas Gleixner , Peter Zijlstra , Joerg Roedel , Maciej Rozycki , Muchun Song , Viresh Kumar , Robin Murphy , Randy Dunlap , Lu Baolu , Petr Mladek , Luis Chamberlain , Wei Liu , John Ogness , Andy Shevchenko , Alexey Kardashevskiy , Christophe Leroy , Jann Horn , Greg Kroah-Hartman , Mark Rutland , Andy Lutomirski , Dave Hansen , Will Deacon , Ard Biesheuvel , Laura Abbott , David S Miller , Borislav Petkov , Arnd Bergmann , Andrew Scull , Marc Zyngier , Jessica Yu , Iurii Zaikin , Rasmus Villemoes , Wang Qing , Mel Gorman , Mauro Carvalho Chehab , Andrew Klychkov , Mathieu Chouquet-Stringer , Daniel Borkmann , Stephen Kitt , Stephen Boyd , Thomas Bogendoerfer , Mike Rapoport , Bjorn Andersson , Kernel Hardening , linux-hardening@vger.kernel.org, "open list:DOCUMENTATION" , linux-arch , Linux Kernel Mailing List , linux-fsdevel , notify@kernel.org, main@lists.elisa.tech, safety-architecture@lists.elisa.tech, devel@lists.elisa.tech, Shuah Khan Subject: Re: [PATCH v2 0/2] Introduce the pkill_on_warn parameter Message-ID: <202111181226.D4538E2F@keescook> References: <77b79f0c-48f2-16dd-1d00-22f3a1b1f5a6@linux.com> <20211115110649.4f9cb390@gandalf.local.home> <202111151116.933184F716@keescook> <59534db5-b251-c0c8-791f-58aca5c00a2b@linux.com> <202111161037.7456C981@keescook> <202111180930.5FA3EF0F59@keescook> <16baa1f4-972d-c781-2d57-508296a83bfb@schaufler-ca.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <16baa1f4-972d-c781-2d57-508296a83bfb@schaufler-ca.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Nov 18, 2021 at 10:30:32AM -0800, Casey Schaufler wrote: > On 11/18/2021 9:32 AM, Kees Cook wrote: > > On Tue, Nov 16, 2021 at 11:00:23AM -0800, Casey Schaufler wrote: > > > On 11/16/2021 10:41 AM, Kees Cook wrote: > > > > On Tue, Nov 16, 2021 at 12:12:16PM +0300, Alexander Popov wrote: > > > > > What if the Linux kernel had a LSM module responsible for error handling policy? > > > > > That would require adding LSM hooks to BUG*(), WARN*(), KERN_EMERG, etc. > > > > > In such LSM policy we can decide immediately how to react on the kernel error. > > > > > We can even decide depending on the subsystem and things like that. > > > > That would solve the "atomicity" issue the WARN tracepoint solution has, > > > > and it would allow for very flexible userspace policy. > > > > > > > > I actually wonder if the existing panic_on_* sites should serve as a > > > > guide for where to put the hooks. The current sysctls could be replaced > > > > by the hooks and a simple LSM. > > > Do you really want to make error handling a "security" issue? > > > If you add security_bug(), security_warn_on() and the like > > > you're begging that they be included in SELinux (AppArmor) policy. > > > BPF, too, come to think of it. Is that what you want? > > Yeah, that is what I was thinking. This would give the LSM a view into > > kernel state, which seems a reasonable thing to do. If system integrity > > is compromised, an LSM may want to stop trusting things. > > How are you planning to communicate the security relevance of the > warning to the LSM? I don't think that __FILE__, __LINE__ or __func__ > is great information to base security policy on. Nor is a backtrace. I think that would be part of the design proposal. Initially, the known parts are "warn or bug" and "pid". > > A dedicated error-handling LSM could be added for those hooks that > > implemented the existing default panic_on_* sysctls, and could expand on > > that logic for other actions. > > I can see having an interface like LSM for choosing a bug/warn policy. > I worry about expanding the LSM hook list for a case where I would > hope no existing LSM would use them, and the new LSM doesn't use any > of the existing hooks. Yeah, I can see that, though we've got a history of the "specialized" hooks getting used by other LSMs. (e.g. loadpin's stuff got hooked up to other LSMs, etc.) -- Kees Cook